CCPA Privacy Disclosure

Privacy Notice Pursuant to the California Consumer Privacy Act (CCPA)

Effective Date: March 1, 2024

Last Updated: March 1, 2024


First Financial Bank, its affliates and subsidiaries, are committed to protecting the personal data and privacy of individuals for whom we provide financial services. This Privacy Notice supplements the information contained in First Financial Bank’s Privacy Notice and applies solely to all visitors, users, and others who reside in the State of California (“customer” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable California privacy laws. Any terms defined in the CCPA and CPRA have the same meaning when used in this notice. We will process your personal information as described below on the basis of our legitimate interest in fulfilling our service commitment to you.

Information We Collect

The following categories of personal information are collected from you at the time you request services from First Financial Bank/or at the time you use First Financial Bank’s Website. This information identifies, relates to, describes, references or is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular customer (“personal information”). In particular, in the last twelve (12) months, the following categories of personal information have been collected:

Category Examples Collected by Agile Premium Finance?
A. Identifiers

A real name, alias, postal address, email address or other similar identifiers.


B. Personal Information categories listed in the California Customer Records Statute (CA Civil Code 1798.80(e)).

A name, signature, address, telephone number, insurance policy number, and bank account number. Some personal information included in this category may overlap with other categories.


C. Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).


D. Commercial Information. Records of personal property, products or services purchased, obtained or considered, or other purchasing or consumer histories, or tendencies. No
E. Biometric information as Defined in the CPRA. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait or other physical patterns, and sleep, health, or exercise data. No
F. Internet or other similar network activity.

Browsing history, search history, information on a consumer’s interaction with a website, application or advertisement.

G. Geolocation data. Physical location or movements. No
H. Sensory data. Audio, electronic, visual, thermal, olfactory or similar information. No
I. Professional or employment-related information. Current or past job history. No
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232(g), 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institute or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. No
K. Inferences drawn from other personal information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. No
L. Sensitive personal information. Personal information that reveals a consumer’s social security, driver’s license, or state identification card, a consumer’s account log-in or financial account that may be kept in combination with required credentials or passwords in order to open an account, a consumer’s geolocation, and a consumer’s racial or ethnic origin as required by federal law. Passwords and other “credentials” are encrypted at rest. No

Personal information does not include:

  • Publicly available information.
  • De-identified or aggregated consumer information.
  • Information excluded from CCPA’s scope, such as:
    • Health or medication information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.
    • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Drivers Privacy Protection Act of 1994.

How We Collect Personal Data

First Financial Bank obtains the categories of personal information listed above from the following categories of sources: (1) Directly from you at the time you request services from First Financial Bank; (2) Directly from you at the time you use First Financial Bank’s websites; (3) Indirectly from you when observing your actions on our website; or (4) From third-parties, including credit bureaus, that provide services for the transactions and products that we provide.

How We Use Personal Data

We will use or disclose your personal data for one or more of the following business purposes: (i) to determine whether you are a “specifically designated national” (SDN) pursuant to the Office of Foreign Assets Control (OFAC), (ii) to comply with 31 CRF Part 1010, et seq. (Customer Due Diligence Requirements), (iii) to determine whether you meet the required underwriting criteria for the requested loan, and/or (iv) as otherwise necessary to process, service and collect your loan (collectively, the “Loan Requirements”). We may also use or disclose the personal information we collect to respond to law enforcement requests and as required by applicable law, court order or governmental regulations; or, as described to you when collecting your personal information; or, as otherwise set forth in the CCPA (collectively, the “Legal Requirements”). In compliance with 12 CFR Part 1002 (Regulation B), the Records Management Policy of First Financial Bank (FFB), and applicable legal, regulatory and business requirements, First Financial Bank maintains the foregoing categories of your personal information (collectively, the “Banking Requirements,” and collectively, with the Loan Requirements and Legal Requirements, the “Permissible Purposes”).

We may also need to gather personal information from you for the following business purposes: for the operation and offering of our financial services, to maintain quality of the service, to inform you of other products and services available from First Financial Bank and its affiliates, and to provide general statistics regarding use of the First Financial Bank website. Moreover, your e-mail, name, address and/or telephone number may also be used by First Financial Bank to contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered. We collect this information as needed to provide these financial services or to conduct these surveys.

First Financial Bank will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated or incompatible purposes without providing you notice.

Sharing Personal Information

We do not “sell” your “personal information” as defined by the CCPA and accordingly we do not offer a “do not sell” opt-out. Over the past twelve (12) months we have engaged in the use of third party cookies and pixels to obtain online identifiers, device information, and internet or other electronic network activity information, and provided this information to third party service providers. The third party service providers only use deidentified data for purposes of facilitating and improving existing services, as well as for reporting purposes. We do not knowingly sell the personal information of consumers under 18 years of age. For more information on how First Financial Bank uses third party tracking technologies, please see the "Examples of How Data is Collected" section of our Online Privacy Practices Statement.

First Financial Bank may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. The categories of third parties with whom we share your personal information are as follows: credit bureau(s), federal and state regulatory agencies, investigation services, agencies/law firms and third party valuation companies (collectively, the “Loan Related Third Parties”).

In addition, First Financial Bank may share data with trusted partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries or permit third parties to use, sell, license, reproduce, distribute and disclose de-identified or aggregated, non-personally identifiable data that is derived through your use of certain services (collectively, the “Business Third Parties”, and collectively with the Loan Related Third Parties, the “Third Parties”). All Business Third Parties are prohibited from using your personal information except to provide these services to First Financial Bank and you, and they are required to maintain the confidentiality of your information.

First Financial Bank will also release personal information when we believe it is required or permitted by applicable law, it is necessary to protect our interests, to prevent fraud or other illegal activity, and to protect the safety of any person. Nothing in this Notice is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your information.

Your Rights and Choices

The CCPA and CPRA gives California residents specific rights about our collection and use of the personal information we have collected, used, and disclosed over the past twelve (12) months. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that First Financial Bank disclose to you certain information about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable customer request (“Request to Know”) , we will make an individualized disclosure to you about:

  • Categories of personal information we collected about you;
  • Categories of sources for the personal information we collected about you;
  • Our business or commercial purpose for collecting the personal information;
  • Categories of third parties with whom we share that personal information;
  • Specific pieces of personal information we collected about you (also called a data portability request);
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and,
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Limit Use and Disclosure of Sensitive Personal Information

The CPRA now gives California Residents the right to limit the use and disclosure of sensitive personal information (“Right to Limit”). First Financial Bank does not collect, use, or disclose sensitive personal information without your prior consent, and we only use the sensitive personal information as necessary to perform the services you want or have requested. We only retain sensitive personal information for as long as reasonably necessary to fulfill the purpose disclosed upon collection.

Your Right to Request Correction and Deletion of Personal Data

California residents have the right to request that we correct inaccurate personal information or delete the personal information that we have collected and retained (“Request to Correct” or “Request to Delete”). Upon First Financial Bank’s receipt of a verifiable request to correct or delete personal information, we shall correct or delete the personal information from our records and will direct any service providers to correct or delete your personal information from their records.

However, please note that First Financial Bank may deny your deletion request and need not comply with this request (and need not ask service providers to comply with a deletion request) if retaining the information is necessary to perform certain functions or commitments, including: completing the transaction for which the personal information was collected; providing a service requested; otherwise performing our contract with you or taking reasonably anticipated actions within the context of our ongoing business relationship with you; detecting security incidents and protecting against malicious, deceptive or otherwise illegal activity or to prosecute those responsible for those activities; complying with a/any legal or regulatory obligation or otherwise using the personal information, internally, in a lawful manner; complying with the California Electronic Communications Privacy Act; or for a purpose otherwise contemplated by Cal. Civ. Code Section 1798.105(c)-(d) or as otherwise amended.

Exercising Access, Data Portability, Limit Use, Correction, and Deletion Rights

To exercise the access, data portability, limit use, correction, and deletion rights described above, please submit a verifiable customer request to us by either:

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable customer request related to your personal information. You may also make a verifiable customer request on behalf of your minor child.

You may only make a verifiable customer request for access or data portability twice within a 12-month period. The verifiable customer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative;
  • Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Therefore, we reserve the right to request additional information from you to allow us to verify your request before we respond. We also reserve the right to refuse a Request to Know, a Request to Correct, or a Request to Delete, if we believe the request is fraudulent or may compromise the security of personal information. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable customer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We will let you know that we received your request within ten (10) days of receipt and give you information regarding how we will process your request and we endeavor to respond to a verifiable customer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable customer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable customer request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.


We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not: deny you goods or services; charge you different prices or rates; provide you a different level or quality of goods or services; or suggest that you may receive a different price or rate or a different level or quality of goods or services. We may offer certain financial incentives permitted by the CCPA that can result in different prices, rates or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects.

Changes to our Privacy Notice

First Financial Bank reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this notice, we will post the updated notice as appropriate. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this CCPA notice, the ways in which First Financial Bank collects and uses your information, your choices and rights regarding such use, or wish to exercise your rights, you can contact us by: